This page is for people to post application security news stories. Stories discussing the importance of application security, influential incidents, trends, metrics, or success stories are encouraged. This page is monitored, and particularly important stories will be copied to the front page. If you have comments about the stories, please use the "discussion" page.

+

{{Social Media Links}}

−

Please post new items at the top of the list using the following format:

+

__NOTOC__There are hundreds of bloggers, journalists, security researchers and hackers, and others who write about application security. And it would be nearly impossible to follow all of this material. To help with this onslaught of application security news, the OWASP team reviews over 130 of these sources and produces the OWASP '''Moderated''' Application Security News Feed. The OWASP team only selects high-quality posts focused on application security that advance the field, provide useful insight, or are useful educational resources.<!-- Old application security news stories can be found [[Application Security News|here]]. -->

:SecurityFocus article, "This article examines the dismal state of application-layer logging as observed from the authors’ years of experience in performing source code security analysis on millions of lines of code."

:A long paper on web application security threats released by honeynet.org. "This paper focuses on application threats against common web applications. After reviewing the fundamentals of a typical attack, we will go on to describe the trends we have observed and to describe the research methods that we currently use to observe and monitor these threats."

+

To add a news feed to our list [http://sl.owasp.org/contactus SUBMIT IT] for review.

−

; '''Feb 21 - OWASP Top 10 2007 rc1 feedback'''

+

==Stories==

−

:Lots of feedback on the new OWASP Top 10. See e.g. on [http://datasecurity.wordpress.com/2007/02/05/owasp-top-10-for-2007/ PCI DSS blog] with some interesting comments and of course Sylvan von Stuppe's comments on the [http://www.owasp.org/index.php/Top_10_2007 OWASP Top 10 RC1] can be found [http://sylvanvonstuppe.blogspot.com/2007/02/owasp-top-10-2007-update-rc1-a7-a8.html here](A7-A8), [http://sylvanvonstuppe.blogspot.com/2007/02/owasp-top-10-2007-update-rc1-a5-a6.html here](A5-A6), [http://sylvanvonstuppe.blogspot.com/2007/02/owasp-top-10-2007-update-rc1-a3-a4.html here](A3-A4) and [http://sylvanvonstuppe.blogspot.com/2007/01/owasp-top-10-2007-update-rc1-a1-a2.html here] (A1-A2). Last change to review the document prior to February 28th and provide feedback to the [http://lists.owasp.org/mailman/listinfo/owasp-topten owasp-topten@lists.owasp.org] mail list.

:"Search engine giant Google has issued an update for people running its powerful Desktop software. Researchers had demonstrated a potentially devastating security hole in the software that could allow bad guys to snoop on users' computers or even to install additional software."

:"The man responsible for unleashing what is believed to be the first self-propagating cross-site scripting worm has pleaded guilty in Los Angeles Superior Court to charges stemming from his most infamous hacking."

:"The Web application security threat is a real one. A failure to respond to this threat will result in real risk to any enterprise that stores financial or customer data. While the problem is a serious one, it is not something that cannot be fixed so long as proper attention and budget are allocated to it. Unfortunately, given the unique nature of the problem and its impact on the budgetary process, it will likely require direct intervention by the financial staff."

:" According to the report, which was developed by the IBM Internet Security Systems (ISS) X-Force(R) research and development team, there were 7,247 new vulnerabilities recorded and analyzed by the X-Force in 2006, which equates to an average of 20 new vulnerabilities per day. This total represents a nearly 40 percent increase over what ISS reported in 2005. Over 88 percent of 2006 vulnerabilities could be exploited remotely, and over 50 percent allowed attackers to gain access to a machine after exploitation. "

:"Given what I've seen about voting system standards and voting system testing labs, I would bet money that the parking garage system at Baltimore Penn Station was tested more extensively before it was deployed than the Diebold voting machines that we use in Maryland."

: The newly formed Web Honeynet Project from SecuriTeam and the ISOTF will in the next few months announce research on real-world web server attacks which infect web servers with: Tools, connect-back shells, bots, downloaders, malware, etc. which are all cross-platform (for web servers) and currently exploited in the wild.

: He lies. Especially about security flaws. This article notes an increase in vulnerabilities found in open source packages and concludes that... "For the personal sites and the mom-and-pop stores that rely on the software, it certainly affects them," Martin said. "But larger companies likely aren't affected." Right.

: Jeremiah Grossman just released his (unscientific) survey with lots of very interesting data. Make sure you check out section '11) Top 3 web application security resources' which is a nice database of the most popular vulnerability assessment tools and knowledge resources (#1 was RSnake's Blog, and #2 was OWASP :) )

: A MoneyGram International server has been breached, allowing cybercrooks access to the personal information of nearly 80,000 people. Hackers accessed the server through the web sometime last month, the money-transfer company said in a statement released on Friday.

:''More than a decade into the practice of vulnerability disclosure, where do we stand? Are we more secure? Or less?'', three good articles: [http://www2.csoonline.com/exclusives/column.html?CID=28071 Microsoft: Responsible Vulnerability Disclosure Protects Users] , [http://www2.csoonline.com/exclusives/column.html?CID=28073 Schneier: Full Disclosure of Security Vulnerabilities a ’Damned Good Idea’], [http://www2.csoonline.com/exclusives/column.html?CID=28072 The Vulnerability Disclosure Game: Are We More Secure?] and [http://www.csoonline.com/read/010107/fea_vuln.html The Chilling Effect]

: Critical XSS flaw that is trivial to exploit here in all but the very latest browsers. Attackers simply have to add a script like #attack=javascript:alert(document.cookie); to ANY URL that ends in .pdf (or streams a PDF). Solution is to not use PDF's or for Adobe to patch the planet.

: Perhaps PHP should stand for Pretty Hard to Protect: A week after a prominent bug finder and developer left the PHP Group, data from the National Vulnerability Database has underscored the need for better security in PHP-based Web applications.

: "It's likely that in most incidents of people being killed as a result of software bugs (or IT systems bugs), the software wasn't thought to be safety-critical at all. For example, a word-processor failing to recognize that a print request has failed, resulting in a patient not getting a letter giving a hospital appointment. Or someone committing suicide because of an incorrect bank statement." Michael Kay on the xml-dev list, 8/17/2005

: An attacker can find out whether you're logged into your favorite website or not. They include a script tag where the src attribute doesn't point to a script, but instead to a page on your favorite websites. Based on the error the script parser generates when trying to parse the HTML of the page that's returned, the attacker can tell whether you're logged in or not. Should extend to access control easily. Protect yourself with CSRF protection.

: Why not just say what measures you've really taken? Are all developers trained? Do you do code review and security testing? "Jim Davis, UCLA's chief information officer, said a computer trespasser used a program designed to exploit an undetected software flaw to bypass all security measures and gain access to the restricted database that contains information on about 800,000 current and former students, faculty and staff, as well as some student applicants and parents of students or applicants who applied for financial aid. 'In spite of our diligence, a sophisticated hacker found and exploited a subtle vulnerability in one of hundreds of applications,' Davis said in the statement."

: MySpace and Apple show how NOT to handle security incidents (see also [http://blog.washingtonpost.com/securityfix/2006/12/how_not_to_distribute_security_1.html How Not to Distribute Security Patches])

+

−

+

−

; '''Nov 28 - [[OWASP JBroFuzz|JBroFuzz 0.3 Released]]'''

+

−

: This version adds a more stable core, length updating for fuzzed POST requests and allows you to specify your own fuzz vectors in a separate file.

: "We do not credit security researchers who disclose the existence of vulnerabilities before a fix is available. We consider such practices, including disclosing 'zero day' exploits, to be irresponsible." So the question on everybody's mind - is the [http://www.oracle.com/security/software-security-assurance.html Oracle Software Security Assurance] program real? Or are David Litchfield and Cesar Cerrudo right that Emperor has no clothes?

: Nice article making the point that Ajax is not inherently insecure. Read it carefully folks - it isn't easy to build a secure Ajax application, just possible. And remember that although the article doesn't mention it, Ajax apps use new parsers and interpreters that haven't been very well tested for security.

: A paper from NIST argues that touchscreen voting machines are "more vulnerable to undetected programming errors or malicious code" and that "potentially, a single programmer could 'rig' a major election."

: David Litchfield presents some very compelling evidence that Microsoft's SDL is paying off. A very interesting read. Not surprisingly, Microsoft is [http://blogs.msdn.com/michael_howard/archive/2006/11/22/microsoft-beats-oracle-in-security-showdown.aspx gloating] a little.

: Ira Winkler - "If there is one line of code written overseas, that’s one line too many. Developing it in the U.S. is not perfect, but we are talking about an exponential increase in risk by moving it overseas." John Pescatore - the focus on offshore developers is "xenophobia" but said the software security concerns raised by the DOD should serve as a useful wake-up call for all organizations that buy software.

: "All the events of the third quarter of 2006 lead me to conclude that both the Internet and the field of information security are on the verge of something totally new. I would say that the second stage of both virus and antivirus evolution is now complete. The first stage was during the 1990s, which simple signature detection was enough to combat simple viruses. At this stage, malicious code was not highly technical and did not use complex infection methods."

: Great article by Ken van Wyk. He looks at the 41% increase in published software vulnerabilities and points out that there is not a corresponding 41% increase in the amount of software, a 41% more people looking for vulnerabilities, or more researchers looking. He concludes there's a significant shift in profit motive. Caveat browsor.

: "More than 90 percent of the participants in several focus groups said they didn't want to use a token to access accounts online or by phone. "The response we got was, 'Don't tell me I have to carry something to get access to my money. It's your job to protect my money, and if you don't do your job I'll find someone who will,'" says Cullinane, who is CISO of Washington Mutual, the nation's largest savings bank. "It was rather startling to get that from them."

: "It's becoming an emerging area of interest for enterprises to address application portfolios and review their applications for security. The other angle is, when developing code, making sure that security is taken into consideration throughout the SDLC, instead of just testing during QA prior to GA or prior to releasing to production."

: "ESG believes that other ISVs should embrace an SDL model as soon as possible and that enterprise organizations should mandate that technology vendors establish a measurable and transparent SDL process by 2008 or risk losing business."

:JBroFuzz is a stateless network protocol fuzzer for penetration tests. Written in Java (exe also available) it provides a number of generators, as well as basic checks involving SQL injection, Cross Site Scripting (XSS), Buffer/Integer Overflows, as well as Format String Errors.

: Micheal Sutton experimented with a survey of sites that have a parameter named "id" in the URL. He finds that 11.3% of them cough up a SQL error. "The statistics are significant as they provide evidence of the prevalence of web application vulnerabilities. Coverage of this issue has however been somewhat misleading as reports have suggested that it is a measure of what attackers are doing."

: Michael argued convincingly for a comprehensive application security education program first, then use of tools, threat modeling, and code review. His presentation and all the rest are on the [[OWASP_AppSec_Seattle_2006/Agenda|conference page]]

: "Hackers have been breaking into customer accounts at large online brokerages in the United States and making unauthorized trades worth millions of dollars as part of a fast-growing new form of online fraud under investigation by federal authorities. E-Trade Financial Corp. said last week that "concerted rings" in Eastern Europe and Thailand caused their customers $18 million in losses in the third quarter alone. Another company, TD Ameritrade, the third-largest online broker, also has suffered losses from customer account fraud, but a spokeswoman declined to quantify the amount yesterday. "It is an industry problem. It does continue to grow."

: All you did was load a web page - how did that add movies to my Netflix account? [[Cross-Site Request Forgery]] attacks are usually as simple as image links to another site. If you're logged in, the attack succeeds. Netflix got burned, but many sites are susceptible to this attack.

: Welcome Bill! "Rather than simply building big walls around their networks, developers must become proactive about security and include it from the beginning of an application's development. They must consider the possible threats to the system and review source code-the software's blueprint-for security flaws, thereby vastly improving overall security."

: "IPv6 is just another network protocol, and if you look at where the problems are occurring in computer security, they're largely up in application space. From a security standpoint IPv6 adds very little that could offer an improvement: in return for the addition of some encryption and machine-to-machine authentication, we get a great deal of additional complexity. The additional complexity of the IPv6 stack will certainly prove to be the home of all kinds of fascinating new bugs and denial-of-service attacks."

+

−

+

−

; '''Oct 15 - [http://link RSnake says IE7 sucks less for XSS]'''

+

−

: Everybody revamp your blacklists (wish you'd done a whitelist now?) - "IE7.0 appears to be quite an improvement in overall security though. I’m glad the JavaScript directive has been relegated to IFRAMEs and HREFs rather than being possible anywhere a location was - thereby definitely reducing the attack surface for the newest browser from Microsoft"

: News flash: it is possible to write an insecure Ajax application, especially if you don't understand the technology. But that's no different from any programming environment. We need [[OWASP AJAX Security Project|guidelines]] and more research, not more FUD.

: "Cross-Site Request Forgery (aka CSRF or XSRF) is a dangerous vulnerability present in just about every website. An issue so pervasion and fundamental to the way the Web is designed to function we've had a difficult time even reporting it as a "vulnerability". Which is also a main reason why CSRF does not appear on the Web Security Threat Classification or the OWASP Top 10. Times are changing and it’s only a matter of time before CSRF hacks its way into the mainstream consciousness." (Ed: We're revising the Top 10 for 2007 - feel free to come join us!)

: crossdomain.xml allows Flash-based CSRF attacks. Chris Shiflett demonstrates how to report such problems and work with the site owners to fix a potentially damaging loophole. "After disclosing the security vulnerability in Flickr (a result of its crossdomain.xml policy), a number of other major web sites have been identified as being vulnerable to the same exploit - using cross-domain Ajax requests for CSRF. Among these new discoveries are YouTube, Adobe, and MusicBrainz."

+

−

+

−

; '''Oct 2 - [http://searchappsecurity.techtarget.com/originalContent/0,289142,sid92_gci1219789,00.html Static analysis - an important part of a balanced breakfast]'''

+

−

: "The fact that we can say we do a code review as part of our development process gives [customers] comfort, and it demonstrates the maturity of our risk management process when it comes to code, and the fact that it's part of our overall program."

: "Of course, error handling and verification is ugly, annoying, inconvenient, and thoroughly despised by programmers the world over. Sixty years into the computer age, we still aren't checking basic things like the success of opening a file or whether memory allocation succeeds. Asking programmers to test each byte and every invariant when reading a file seems hopeless -- but failing to do so leaves your programs vulnerable to fuzz."

: "Less than two years into the great cultural awakening to the vulnerability of personal data, companies and institutions of every shape and size -- such as the data broker ChoicePoint, the credit card processor CardSystems Solutions, media companies such as Time Warner and dozens of colleges and universities across the land -- have collectively fumbled 93,754,333 private records."

: "Google acknowledges that its index can be misused. “Search engines reflect what is on the Web,” said Barry Schnitt, a Google spokesman. “We still work to try to prevent and stop exploits and encourage Webmasters to employ best practices and effective security for their Web sites.” On Google’s site you can find tips on how to remove sensitive data from its index, for example."

: "The bottom line, though, is that installing a Web application firewall makes sense if you're willing to spend time tuning and understanding the rules. While Web application firewalls may come with some default rule sets, customers said they got the biggest bang when they understood their Web applications and how they worked."

: Visa has analyzed a their actual compromises and concluded that [[SQL injection]] is the most problematic application security problem. "A successful SQL injection attack can have serious consequences. SQL injection attacks can result in the crippling of the payment application or an entire e-commerce site."

: This blog post argues "[[OWASP AJAX Project|Ajax]] applications can be made as highly-secure as the web technologies upon which the Ajax model is based." Even if that was the goal, it misses the point. The complexity and lack of tools for building and testing Ajax applications makes them ''far'' more difficult to assure.

: "According to a June 2006 survey of 400 U.S. based software developers that was commissioned by Symantec, an overwhelming 93 percent felt that secure application development was more of a priority now than three years ago. Also 70 percent indicated that their employers emphasize the importance of application security, 74 percent indicated that security was a high priority in their development process, yet only 29 percent stated that security was always part of the development process."

: Well of course 21.5% of reported vulnerabilities are XSS. They're very easy to find and every web app has them. (Prove yours doesn't - seriously). Note: If you check this data and [http://news.zdnet.co.uk/internet/security/0,39020375,39283373,00.htm conclude] that browsers are the biggest problem, you need to check it again.

: "Less rigor in Web programming, an increasing variety of software, and restrictions on Web security testing have combined to make flaws in Web software the most reported security issues this year to date, according to the latest data from the Common Vulnerabilities and Exposures (CVE) project."

: "Customization has created custom vulnerabilities. Custom code does not undergo the same QA testing as commercial code does. All major applications [need] custom code and this is one of the biggest issues facing application security. But what is even worse about this is any vulnerability you have in your system is yours and no one else will find it but you."

: Monoculture is a danger to security, but this article points out that the most dangerous monoculture is "not of software but of pervasive carelessness among application developers, system administrators and users—carelessness that persists today."

: "We've consulted with all the top computer scientists around the United States on the software security issues and they've all told us one thing: 'It isn't currently possible to create technology that is 100-percent secure and trying to do that would be so cost prohibitive"

: "Web applications tend to be written less tightly than other applications," says Alan Paller, director at the SANS Institute...But because the desktop model really isn't any better, and is in some ways worse, "Security will drive people to centralized applications." (There's a peek into Google's security process in this article - verdict: Distributed!)

: The U.S. Department of Education has disabled its Direct Loan Servicing System, the online payment feature of its Federal Student Aid site, because of a software glitch that exposed the personal data of 21,000 students who borrowed money from the department, said Education Department spokeswoman Jane Glickman.

: Tools give a warped perspective on software security. They overemphasize stuff they're good at finding, and completely miss critical flaws. Get your people and process aligned on secure coding, and then it will be easy to see which tools really help you.

: "The problem was Yahoo Mail's handling of attachments. By creating an HTML attachment with different encoding schemes, one could have bypassed Yahoo Mail's security filter and executed malicious JavaScript code"

: "The BeanShell provides a convenient means of inspecting and manipulating a Java application during execution. This allows the security tester to bypass security controls on the client and verify the security controls on the server. It also allows for the automation of tedious tests such as brute force testing."

: "I was put at ease the moment I saw that each article was hinting at the researchers having made an assumption that every target has been infected with a keylogger. A bit of an unreasonable assumption if you ask me, and I think at this point it stops being "news" however the vulnerability is quite interesting..."

: "...PCI's creators may address some prioritization issues in an updated version of the standard, which could be completed by the end of the summer or this fall. The upgraded standard also is expected to contain new provisions for conducting '''[[:Category:OWASP Code Review Project|software code reviews]]''', identifying all outside parties involved in payment transactions and ensuring merchant data in hosted environments is adequately partitioned.

: "SPI Dynamics has published documentation and a live exploit of a significant javascript flaw. This appears to be a fundemental flaw in the scripting language and it impacts at least all IE browsers."

: "We picked two among the top social networking sites with a reported combined user base of 80 million. Within half an hour we had discovered over half a dozen potentially "wormable" [[XSS]] vulnerabilities in each site! We stopped looking after finding half a dozen, but we are sure there are a lot more holes in there. With about a day's work a malicious attacker with a half-decent knowledge of javascript could create a worm using just one of these vulnerabilities."

: The [[OWASP Top Ten]] was originally drafted with government in mind, but most agencies have steadfastly ignored the risk. "Instead of relying on firewalls, IDSes and compliance teams preparing documents, leaders within organizations need to put new emphasis on a secure software development lifecycle."

: "In fact, fuzzing tools appear to be the source of the deluge of Office flaws. Once considered a crutch for the lowest form of code hacker - the much-denigrated "script kiddie" - data-fuzzing tools have gained stature to now be considered an efficient way to find vulnerabilities, especially obscure ones."

: Daring people to sue for negligence, PayPal ignored a 2004 notification of a "[[cross Site Scripting|cross site scripting]] attack that affected donation pages for suspended users." This "is the exact method exploited by the phishing attack in June 2006."

: "From January through March, we blocked anywhere from 100 to 200 [[SQL Injection]] attacks per day. As of April, we have seen that number jump from 1,000 to 4,000 to 8,000 per day...The majority of the attacks are coming from overseas, and although we certainly see a higher volume with other types of attacks, what makes the [[SQL Injection]] exploits so worrisome is that they are often indicative of a targeted attack."

: "Microsoft has removed a large body of tried and tested code and replaced it with freshly written code, complete with new corner cases and defects...Vista is one of the most important technologies that will be released over the next year, and people should understand the ramifications of a virgin network stack."

: "The way the standard reads today, all provisions are treated equally, Litan says. She expects PCI's creators may address some prioritization issues in an updated version of the standard, which could be completed by the end of the summer or this fall. The upgraded standard also is expected to contain new provisions for conducting software code reviews."

: "On average, 50%-70% of attacks experienced by web applications come from bots and bot networks searching for known vulnerabilities...The effect is much like a storm raging over a landscape – the probes are sprayed throughout the Internet and ceaselessly (and somewhat randomly) hit web applications."

: Imagine there was liability for software vendors. They would introduce "an interesting new paradigm of programming. Methods of this school of programming could include: Do something random, procrastination, decoy, blame someone else, and Inject errors in other running programs."

+

−

+

−

; '''Jul 17 - [http://link Give offensive coding a try...]'''

+

−

: "Spurious null checks are a symptom of bad code. That’s not to say that null checks are wrong. If a vendor gives you a library that can return null, you’re obliged to check for null. And, if people are passing null all over the place in your code, it makes sense to keep putting some null checks in, but, you know what? That just means that you’re dealing with bad code"

: Joshua Bloch (of Java Puzzlers fame) discovered this [[Integer overflow|overflow]] that affects Arrays.binarySearch() and any other divide-and-conquer algorithms (probably other languages as well). "The general lesson that I take away from this bug is humility: It is hard to write even the smallest piece of code correctly, and our whole world runs on big, complex pieces of code."

: Yet another pointless article discussing whether open-source or closed-source is more secure. The truth is that your application should be secure even if an attacker has the source. If you're using a source code control system (and you absolutely should), there are copies of your code all over the place. So get over it - secrecy isn't a countermeasure.

: "The site asks for your user name and password, as well as the token-generated key. If you visit the site and enter bogus information to test whether the site is legit -- a tactic used by some security-savvy people -- you might be fooled. That's because this site acts as the "man in the middle" -- it submits data provided by the user to the actual Citibusiness login site. If that data generates an error, so does the phishing site, thus making it look more real."

: "Visa U.S.A. Inc. and MasterCard International Inc. will release new security rules in the next 30 to 60 days for all organizations that handle credit card data, a Visa official said this week. The rules will be the first major updates to the one-year-old Payment Card Industry (PCI) data security standard, which analysts said is slowly but surely being adopted. Extensions are aimed at protecting credit card data from emerging Web application security threats."

: RSnake writes about [[XSS]], [[CSRF]], and [[Open redirect|open redirect]] problems in google.com. "While surfing around the personalization section of Google I ran accross the RSS feed addition tool which is vulnerable to XSS. The employees at Google were aware of XSS as they protected against it as an error condition, however..."

: "Google Web Toolkit's conflation of client-side and server-side code is inherently dangerous. Because you program everything in the Java language, with GWT's abstraction concealing the client/server split, it's easy to be misled into thinking that your client-side code can be trusted at run time. This is a mistake. Any code that executes in a Web browser can be tampered with, or bypassed completely, by a malicious user."

: "The six billion people of the world can be divided into two groups: (1) People who know why every good software company ships products with known bugs. (2) People who don't. Those of us in group 1 tend to forget what life was like before our youthful optimism was spoiled by reality. Sometimes we encounter a person in group 2, perhaps a new hire on the team or even a customer. They are shocked that any software company would ever ship a product before every last bug is fixed."

: "Track data from magnetic strips isn’t necessary to process credit card transactions but is valuable to hackers and identity thieves because it can be used to make counterfeit cards, said Avivah Litan, an analyst at Gartner. The data is often automatically saved by payment applications because developers assumed it was needed. In fact, many merchants may be unaware that their payment applications collect and cache the track data, leaving the data unprotected while giving the merchant a misplaced sense of security, Visa’s Elliott said."

: SOA Security Architect interviews Jeff Williams on OWASP and SOA security. Jeff answers questions about SOA security, talks about the limitations of SOA appliances, and the future of WS Security and web services. "They think that they are getting 80% protection, but they really aren’t. I think the false sense of security is the most dangerous risk of using these appliances. The same sort of thing applies to using application scanning technologies."

: On the same day that Neosmart makes the ridiculous claim that [http://neosmart.net/blog/archives/194 XSS is not a vulnerability], a hacker has highlighted an [[XSS]] flaw in citibank.com and claims dozens more major sites have similar problems. It's not rocket science, but of course it's a [[:Category:Vulnerability|vulnerability]].

: A pretty complete writeup about the exploit of an [[XSS]] flaw in PayPal - "The scam works quite convincingly, by tricking users into accessing a URL hosted on the genuine PayPal web site. The URL uses SSL to encrypt information transmitted to and from the site, and a valid 256-bit SSL certificate is presented to confirm that the site does indeed belong to PayPal; however, some of the content on the page has been modified by the fraudsters via a cross-site scripting technique ([[XSS]]). When the victim visits the page, they are presented with a message that has been 'injected' onto the genuine PayPal site that says, "Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to Resolution Center." After a short pause, the victim is then redirected to an external server, which presents a fake PayPal Member log-In page."

: The unbelievable story of what a disgruntled developer can do - "2,000 of the company's servers went down, leaving about 17,000 brokers across the country unable to make trades. Nearly 400 branch offices were affected. Files were deleted. Backups went down within minutes of being run. The system was offline for more than a day, and UBS PaineWebber -- which was renamed UBS Wealth Management USA in 2003 -- spent about $3.1 million in assessing and restoring the network. Executives at the company haven't reported how much was lost in business downtime...The agent executed a warrant on March 21, 2002, and allegedly found hard copy of the logic bomb's source code on the defendant's bedroom dresser. The Secret Service also allegedly found the source code on two of his four home computers."

: "Microsoft senior vice president Bob Muglia opened up TechEd 2006 in Boston Sunday evening by proclaiming that Windows Vista was the '''most secure operating system''' in the industry...Windows Vista is the first operating system from Microsoft to be built from the ground up using the SDL development model. Every bit of code is scrutinized for Common Criteria Certification and security compliance checkpoints must be met along the way."

: "According to our research, what people really needed wasn't a Universal Hammer after all. It's always better to have the right kind of hammer for the job. So, we started selling hammer factories, capable of producing whatever kind of hammers you might be interested in using. All you need to do is staff the hammer factory with workers, activate the machinery, buy the raw materials, pay the utility bills, and PRESTO...you'll have *exactly* the kind of hammer you need in no time flat."

: "A lot of people think that errors and defects and stupid mistakes are things that the "lesser programmers" make. One of the things that I've found is that tools find insanely embarrassing bugs, written in production code, by some of the very best programmers I know. People start thinking, "Because we have smart employees, we have a good development process; we're not going to have stupid bugs." But no. Everybody, every process, every person makes stupid mistakes. It just happens. The question is, What do you do to find and eliminate your stupid mistakes after they occur? Because they're going to occur."

: "...Customers now want more assurance about information security. In the early days, the client-to-server connection for payment was encrypted with SSL, giving the illusion that the transaction was protected. But information security is much more than a requirement to protect credit card details in transit between a client and a server. It is built on three legs: confidentiality, availability and integrity."

: "All I said anywhere is quality, quality, quality, quality, quality. The betas are just out: Quality, quality. I get an e-mail from a customer who's says 'I'm worried about the following problem with the beta.' That's what betas are about. I say: 'don't worry. Quality, quality. We're just working on quality.' We will ship quality, '''security''', quality. The features set is all there. Now it's all about performance, quality, quality. If I get e-mail 'Should I worry about what you're going to ship if you're forced to ship on blah blah blah?', I say 'quality."

+

−

+

−

; '''Jun 4 - [http://online.wsj.com/public/article/SB114903737427467003.html How to irritate users in the name of security]'''

+

−

: "CAPTCHA's flaws are prompting academics, independent computer programmers and some Web companies to craft new variations that they hope will be easier for humans to decipher but harder for computer programs."

: 1,000,000 more Americans information can sleep well at night knowing that their information is being safely protected by the free credit monitoring they get. If you're playing fast and loose with people's data, you should get familiar with [http://en.wikipedia.org/wiki/Res_ipsa_loquitor res ipsa loquitor].

: "Software is always going to have bugs because there are human beings behind it doing the development. Hopefully, universities teach secure coding practices...Hopefully, there will be an educational process and companies will actually do source code audits before they release their software and also train their people in secure coding practices."

: "Keep the flaws out from the beginning and you have bought yourself several pounds of prevention. Baking security in up front is logical and makes good technical and business sense; however, getting your developers on board with security training is not necessarily going to be an easy task."

: "The pressure to deal with the problem of unreliable and insecure software is building, and the industry has reached a tipping point...it is now chief executives who are complaining that what they are getting from their vendor is not acceptable in terms of software assurance." She also argues that Brits make good hackers because they have criminal behavior.

If you're interested in the list of sources that are reviewed to make the OWASP Feed, here is the list:

−

: "Applications using 'ad-hoc methods to "escape" strings going into the database, such as regexes, or PHP3's addslashes() and magic_quotes' are particularly unsafe. Since these bypass database-specific code for safe handling of strings, many such applications will need to be re-written to become secure."

: "We track the security training completion status of each developer and provide regular reports on training compliance to development management and to senior corporate management to ensure a level of security training is maintained in each organization."

+

Revision as of 20:31, 2 March 2013

Share this:

There are hundreds of bloggers, journalists, security researchers and hackers, and others who write about application security. And it would be nearly impossible to follow all of this material. To help with this onslaught of application security news, the OWASP team reviews over 130 of these sources and produces the OWASP Moderated Application Security News Feed. The OWASP team only selects high-quality posts focused on application security that advance the field, provide useful insight, or are useful educational resources.